From: Mike Snitzer <snitzer@redhat.com>
To: dm-devel@redhat.com, linux-scsi@vger.kernel.org
Cc: mpatocka@redhat.com, hare@suse.de
Subject: Re: [PATCH 2/2] dm mpath: attach scsi_dh during table resume
Date: Mon, 22 Apr 2013 18:33:56 -0400
Message-ID: <20130422223355.GA4803@redhat.com>
In-Reply-To: <1365457816-31475-2-git-send-email-snitzer@redhat.com>

On Mon, Apr 08 2013 at  5:50pm -0400,
Mike Snitzer <snitzer@redhat.com> wrote:

> Preallocate scsi_dh_data using scsi_dh_alloc_data() during table load
> but attach the scsi_dh for each path during table resume.  This avoids a
> kernel crash that can happen when changing the scsi_dh during table
> load.
> 
> When we reload a multipath device, there are two instances of the
> multipath target - the first instance that is active and the second
> instance that is being constructed during table load with "ctr" method.
> 
> If the multipath constructor finds out that the device is using a
> different device handler, it detaches the existing handler and attaches
> a new handler. However, the first instance of the multipath target still
> exists and processes requests. If the first instance sends some
> path-management request with scsi_dh_activate and the second instance
> detaches the device handler while the path-management request is in
> flight, a crash happens. The reason for the crash is that the endio
> routine for the path-management request is working with structures that
> were freed when the handler was detached.
> 
> References:
>   http://bugzilla.redhat.com/912245
>   http://bugzilla.redhat.com/902595

While this patch addresses the problem of switching the SCSI device
handler prematurely (during load rather than resume) it doesn't do
anything to defend against the use after free NULL pointers that are
possible with the scenario explained above (and as detailed in the
referenced BZs).

I spoke with Hannes at LSF; to address the potential crashes in the
endio path (e.g. stpg_endio) we'd have to bump the scsi_dh_data kref
where appropriate (e.g. for ALUA kref_get in submit_stpg and kref_put in
stpg_endio).

But that is just the tip of the iceberg relative to scsi_dh lifetime.
Seems we've been playing it pretty fast and loose with scsi_dh issued
requests vs detach for quite some time.

I'm now inclined to not care about this issue.  Takeaway is: don't
switch the device handler (attach the correct one from the start).
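
The lifetime rule discussed in the message above (take a reference when the path-management request is submitted, drop it in the completion handler) as an added userspace C model; it is not code from the patch, the kernel, or the author. `dh_data`, `dh_attach`, `submit_request`, `dh_detach` and `request_endio` are hypothetical stand-ins for scsi_dh_data, its kref, and a submit/endio pair such as submit_stpg/stpg_endio.

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <stdlib.h>
#include <stdatomic.h>

static int freed_count;              /* counts how many times release ran */

struct dh_data {                     /* stand-in for scsi_dh_data */
    atomic_int refs;                 /* stand-in for struct kref */
    int state;                       /* field the completion handler touches */
};

static struct dh_data *dh_attach(void)
{
    struct dh_data *d = calloc(1, sizeof(*d));
    if (!d)
        return NULL;
    atomic_init(&d->refs, 1);        /* reference owned by the attachment */
    return d;
}

static void dh_get(struct dh_data *d) { atomic_fetch_add(&d->refs, 1); }

/* Drop one reference; free on the last one. Returns 1 if this call freed. */
static int dh_put(struct dh_data *d)
{
    if (atomic_fetch_sub(&d->refs, 1) != 1)
        return 0;
    free(d);
    freed_count++;
    return 1;
}

/* Submit path: pin the data for the lifetime of the in-flight request. */
static struct dh_data *submit_request(struct dh_data *d) { dh_get(d); return d; }

/* Detach drops only the attachment's reference; it never frees outright. */
static int dh_detach(struct dh_data *d) { return dh_put(d); }

/* Completion path: touch the data, then release the request's reference. */
static int request_endio(struct dh_data *d) { d->state = 1; return dh_put(d); }

/* Detach while a request is in flight, then complete the request.
 * Returns 1 when detach left the data alive and endio did the free. */
int detach_during_inflight(void)
{
    struct dh_data *d = dh_attach();
    if (!d)
        return -1;
    struct dh_data *req = submit_request(d);
    int freed_by_detach = dh_detach(d);
    int freed_by_endio = request_endio(req);
    return !freed_by_detach && freed_by_endio;
}
```

Without the `dh_get` in `submit_request`, `dh_detach` would free the structure and `request_endio` would write to freed memory, which is the crash the quoted commit message describes.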
